.iface_vs_ip = "0.0.0.0",
.iface_vs_nm = "255.255.255.0",
.iface_vs_gw = "0.0.0.0",
+ .kafel_file = NULL,
+ .kafel_string = NULL,
};
/* *INDENT-OFF* */
{{"tmpfs_size", required_argument, NULL, 0x0602}, "Number of bytes to allocate for tmpfsmounts (default: 4194304)"},
{{"disable_proc", no_argument, NULL, 0x0603}, "Disable mounting /proc in the jail"},
#if USE_KAFEL
- {{"seccomp_policy", required_argument, NULL, 0x0901}, "Path to file containing seccomp-bpf policy (see kafel/)"},
+ {{"seccomp_policy", required_argument, NULL, 'P'}, "Path to file containing seccomp-bpf policy (see kafel/)"},
+ {{"seccomp_string", required_argument, NULL, 0x0901}, "String with kafel seccomp-bpf policy (see kafel/)"},
#endif
{{"cgroup_mem_max", required_argument, NULL, 0x0801}, "Maximum number of bytes to use in the group (default: '0' - disabled)"},
{{"cgroup_mem_mount", required_argument, NULL, 0x0802}, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')"},
int opt_index = 0;
for (;;) {
- int c = getopt_long(argc, argv, "H:D:c:p:i:u:g:l:t:M:Ndveh?E:R:B:T:I:U:G:", opts,
+ int c = getopt_long(argc, argv, "H:D:c:p:i:u:g:l:t:M:Ndveh?E:R:B:T:P:I:U:G:", opts,
&opt_index);
if (c == -1) {
break;
nsjconf->cgroup_mem_parent = optarg;
break;
#if USE_KAFEL
- case 0x901:
+ case 'P':
if ((nsjconf->kafel_file = fopen(optarg, "r")) == NULL) {
PLOG_F("Couldn't open '%s'", optarg);
}
break;
+ case 0x0901:
+ nsjconf->kafel_string = optarg;
+ break;
#endif
default:
cmdlineUsage(argv[0], custom_opts);
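Review bot: The new `case 0x0901` stores optarg without checking whether `nsjconf->kafel_file` is already set, so passing both `--seccomp_policy` and `--seccomp_string` is accepted here and, as the sandboxPrepareAndCommit hunk further down shows, the string is then silently discarded in favour of the file — a user who believes the string policy is in force gets a different seccomp filter than they asked for. Rejecting the combination at parse time is a one-line guard before the assignment, `if (nsjconf->kafel_file != NULL) { LOG_F("--seccomp_string cannot be combined with --seccomp_policy"); }`, with the mirror check on `nsjconf->kafel_string` in `case 'P'` before the fopen(). The `case 'P'` branch also overwrites any previously opened `kafel_file` on a repeated option, leaking the earlier FILE*; a `fclose()` of the old handle there (or the same guard) would close that. The enclosing option-parsing function starts and ends outside the hunk.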
static bool sandboxPrepareAndCommit(struct nsjconf_t *nsjconf __attribute__ ((unused)))
{
#if defined(USE_KAFEL)
- if (nsjconf->kafel_file == NULL) {
+ if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
return true;
}
-
struct sock_fprog seccomp_fprog;
+
kafel_ctxt_t ctxt = kafel_ctxt_create();
- kafel_set_input_file(ctxt, nsjconf->kafel_file);
+
+ if (nsjconf->kafel_file != NULL) {
+ kafel_set_input_file(ctxt, nsjconf->kafel_file);
+ } else {
+ kafel_set_input_string(ctxt, nsjconf->kafel_string);
+ }
+
if (kafel_compile(ctxt, &seccomp_fprog) != 0) {
LOG_E("Could not compile policy: %s", kafel_error_msg(ctxt));
kafel_ctxt_destroy(&ctxt);